KACE SAML AZURE and Windows Hello


I have successfully configured SAML in KACE SMA to use Azure.   However this only works if I log into my Windows machine using a password.   If I log in to Windows using Face or PIN, KACE SAML fails.

Any ideas?


1 Comment   [ + ] Show comment
  • Are you getting an error message and then asked to login?

    Are you using regular WinHello or Business Windows hello?

    Is this working fine with other SAML tools in your environment?

    I'm asking because the KACE SMA should have little to none interaction with SAML , other than receiving orders, I wonder if there's something with WinHello and SAML here causing the issue?

    (The KACE SMA is asking for password, because SMAL hasn't received the authorization from Windows Hello). - Channeler 10 months ago

Answers (2)

Posted by: ericweintraub 10 months ago
White Belt

Oh I went thru this too. Support got me squared away but I think its something related to ether the:

IdP SLO Binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

(check both remote and local settings)

or in Local IdP Metadata check these settings:

NameIDFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent


I "think" one of those items (or checkboxes) did it for us. The claim is different with hello vs password, we had to reduce the filter by changing one of those parms. If this doesnt work just open a support tix, that's what we did and they sorted it.

  • @ericweintraub

    I used your check boxes and now SAML works using Hello (face and PIN) to log into Windows!

    Many thanks. - Darkplace 10 months ago
Posted by: JMorano 10 months ago
Yellow Belt

@Darkplace currently Kace SAML support does not integrate with Microsoft Windows Hello for Business to support PINS and Facial Recognition.  I would suggest if this feature is something the community at large is needing, putting in a Uservoice request might be a good idea.  Customer Feedback for Quest KACE (uservoice.com)


  • I am fairly sure that isnt true. I logon to KACE most days without entering username or password, simply thru SAML with Windows Hello (usually face but sometimes fingerprint). The way it works is when you unlock your windows desktop with Hello and then you need to do Azure SSO you send over a claim, that claim is totally different if you unlocked the machine with a password vs using a Windows Hello option (pin,face,finger). KACE's default settings dont allow for this other type of claim but using the checkboxes above you can get around that and make it work. It doesnt mean when you logon to the KACE appliance it will force a use of Windows Hello but rather it will accept the more secure claim it provides (its more secure since its not a semi-static password hash but instead a short lived unique token issued thanks to a PKI exchange at time of unlock that uses certs stored in the TPM). Good read up about that here: https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token - ericweintraub 10 months ago
    • Thanks @ericweintraub then the real ask is for better in product documentation or a KB. That should be easier to remedy. Thanks :) - JMorano 10 months ago

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login


This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ